So by the time the request gets to to Access Gateway (Ag) or the backend, the Ag or backend believe the request is a HTTP request not a HTTPS request. So If the Ag or backend generates a redirect the location it will specify will likely be a HTTP (port 80) reference rather than a HTTPS (port 443) reference.

But that gets passed to the Ag on port 80, the Ag may detect the "https" but when the Ag passes the request to the backend the backend does not know it is HTTPS request.

So if the backend responses with a 302 redirect it will generally be a 320 redirect to the HTTP (port 80) location eg it returns :

HTTP/1.1 302 FoundLocation: http://www.example.com/mainsite/

That response is returend back to the client, and the client then tries to contact the site www.example.com on port 80, and gets a reject since the SSOffloader /F5 proxy is listening on server on HTTPS (port 443) and not on HTTP (port 80) - so the client gets an error response.

Resolution:

The solution for Access Gateway is to use the mod_headers apache module to fix the returned Location: and change any that refer to a http:// to a https:// .